RSH RACF Tips
- Volume 13, Issue 3
- Password
Phrase Console Logon
- Owner Authority & RACLIST
- Auditors: IBMUSER
- OPERATIONS - Dataset Creation
- TSO CANCEL and Exit IKJEFF53
- JESJOBS Resource Name Increase
- Loading IRRDPI00 at Startup
- JES NJE Security Health Checks
|
July 2019
50th
Issue |
RSH RACF Tips
- Volume 13, Issue 2
- Password
Phrases and z/OS FTP
- CDT - 1,024 Limit on Classes
- Tips on setgid
- Printing RACF Healthchecks II
- Auditors: RACF 'AUDIT'
- Catalog Alias Administration
- SU in ISPF 3.17 (UDLIST)
- Monitor IRRUT100
|
April 2019 |
RSH RACF Tips
- Volume 13, Issue 1
- Protect
Confidential RACF Data
- SETROPTS RACLIST(DIGT-class) REFRESH Delegation
- Intrusion Detection in z/OS
- Multiple Console Logons
- Batch Print RACF Healthchecks
- Auditors: SPECIAL Auditing
- Tips When Batching Commands
- SEARCH CLIST Line Numbers
- Monitoring Password Changes
|
Jan 2019 |
RSH RACF Tips
- Volume 12, Issue 4
- FTP JES
Interface RFE
- Group Dataset Profile Owner
- VSAM Access Check Bypass
- DUMP FULL and DASDVOL
- Permitting Temporary Access
- New STGADMIN Resources
- BPX.STICKYSUG
- Auditors: SETROPTS
|
Oct 2018 |
RSH RACF Tips
- Volume 12, Issue 3
- DSMON -
NOPASS_ALLOWBATCH
- Z/OS 2.3 - 8-Character TSO IDs
- Hacking Z - Clear-text Passwords
- Pathname in Unix SMF Records
- Command Violation Anomaly
- CDT vs. ICHRRCDE Class Deletion
- IBM Classes Defined by CDT Profiles Now In ICHRRCDX
- New CICS 5.4 Resources
- PRIVILEGED + TRUSTED
- Auditors: Ensure "Authorized" Program Libraries are
Protected
- Shadow and ICHRIX02
|
July 2018 |
RSH RACF Tips
- Volume 12, Issue 2
- IRRRID00
EXIT Statement
- ISPF Unix Violations Not logged
- EXECUTE Access Permission
- Started Task Logon Logging
- CFIELD and CSDEF Deletion Affects CSDATA Field Admin
- Long Commands Trip Up IRRADU00
- EOS and PPRC
- Auditors: DASD Sharing Affects Audit Scope
|
April 2018 |
RSH RACF Tips
- Volume 12, Issue 1
- Proper RACF
Database Allocation
- Unix - UID Displayed, not USERID
- Limiting Scope for FIELD Authority
- Pervasive Encryption & DFP Segment Administration
- Recent SDSF RACF Changes
- z/OSMF ZMFAPLA Tips
- FASTAUTH - No Audit, No ICH408I
|
Jan 2018 |
RSH RACF Tips
- Volume 11, Issue 4
- RACF 2.3
SETROPTS ENHANCEDGENERICOWNER
- SMF Logging for Logons
- Grouping Profile Member Sequence
- Auditors: Understanding SMF
- LDAP & SUPERUSER.FILESYS
- JESSPOOL SYSLOG Resource
- RACF 2.3 WORKATTR WAEMAIL
|
Oct 2017 |
RSH RACF Tips
- Volume 11, Issue 3
- RSH
Consulting 25th Anniversary
- PROGRAM Protection & LPA
- JESJOBS GROUPREG Resources
- z/OS 2.2 IRRDBU00 Database Unload
- "List of Groups" Checking & UNIX
- z/OS 2.2 ADDUSER NOPASSWORD
- RACF SMF Factoid - TRUSTED
- Auditors: Check for Stronger Password Encryption
"I do find the newsletters
very informative. Sometimes about new things and other times
reminding me of things I had forgotten. I look forward to
them." Casey Parker, State Compensation Insurance
Fund
|
July 2017 |
RSH RACF Tips
- Volume 11, Issue 2
- CICS &
KDFAES
- SMF Unload Errors Due To Record Format Changes
- ICB & RCVT
- POSIT
- CLAUTH
- &RACGPID & DFLTGRP
- z/OS 2.3 Preview - UID(0) Display
|
April 2017 |
RSH RACF Tips
- Volume 11, Issue 1
- PPT NOPASS
Change
- NOREVOKE = RESUME
- WARNING SMF Records
- AUDITORS: Review the Global Access Table (GAT)
- RACFRW Limitations
- Logging FTP JES Activity
- CIM and SURROGAT
|
Jan 2017 |
RSH RACF Tips
- Volume 10, Issue 4
- Password
Disclosure in SMF
- FDR & DASDVOL
- AUTOMOUNT Security Issues
- CA-TPX Logon Logging
- IRRDBU00 Record Sequence
- EXEC.RACF.CLIST PDS
- CEA and /var/CEAServer
|
Oct 2016 |
RSH RACF Tips
- Volume 10, Issue 3
- RACF SMF
Tidbits
-"Hidden" Profiles
-Broken DFLTGRP Connect
-Accurate IRRDBU00 Unloads
-Auditors: Review JES2 PROCLIB Protections - Part 1
-SDSF SECURITY TRACE
"First of all I want
to thank you for your information we always get with your
newsletter. It has given us some valuable details many times
already, so we could enhance some of our RACF definitions
even more, which we really appreciate." Erika
Theiler, AXA Technology Services
|
July 2016 |
RSH RACF Tips
- Volume 10, Issue 2
- DSMON -
LINECOUNT 0
- Unix Protection Loophole
- Auditors: Review DITTO and FILE Manager DISK.FULLPACK
- SECLEVELAUDIT 64 Error
- PROGRAM Class Anomalies
- Finding RACF Exit Modules
- Catch-all / Backstop Profile
- TSO PASSWORDPREPROMPT
- Prevent Anonymous FTP Job
|
April 2016 |
RSH RACF Tips
- Volume 10, Issue 1
- CICS 5.2
Supplied Transactions
- z/OS 2.2 - Console Timeout
- z/OS 2.2 - IQPINIT PPT Entry
- CA Product RACLIST
- RACF Requests for Enhancements (RFE)
- Auditors: Review System Dataset Protection
- IRRDBU00 - READ Access
|
Jan 2016 |
RSH RACF Tips
- Volume 9, Issue 4
- RSH RACF
Overview
- SUPERUSER.FILESYS.DIRSRCH
- Clear an ID's Password History
- The End of Masked Passwords
- TSO IDs - 7 Characters or Less
"I enjoy getting your
newsletter. It is a good publication and I thank you for
that service." Wade Juza, Acuity Insurance
|
Oct 2015 |
RSH RACF Tips
- Volume 9, Issue 3
- Coming in
z/OS 2.2 - ROAUDIT
- Helpful TSO PROFILE Options
- Protecting Datasets with Single Qualifier DSNAMEs
- Profile CONNECT Entries
- Auditors: RACF Staffing Levels
- Missing TMON Resources
- USER.OMVS.UID & SHARED.IDS
|
July 2015 |
RSH RACF Tips
- Volume 9, Issue 2
- Shorter
Password Phrases
- TSO STATUS, CANCEL, OUTPUT
- ASG-Zeke Resource Classes
- SURROGAT Profile Owner
- AUTOPROF SMF Event Records
- Base64 Messages in RACF-L
- INITOEDP SMF Event Records
- Auditors: Profile Creator Access
- Orphaned OWNERs and GROUPs
|
April 2015 |
RSH RACF Tips
- Volume 9, Issue 1
- RACF
Password Enhancements
- BPX.SAFFASTPATH Addendum
- WebSphere MQ RACLIST
- Unknown Operator Commands
- CA Common Services & MAXTHREADS
- Finding Undefined User Logons
- WARNING Contest Winner
- AUDIT NONE Becomes READ
- Auditors: Find Responsible Party
- REVOKED & BPX.UNIQUE.USER
"The newsletter is always
useful. I have picked up numerous tips and tricks from it
over the years. Thanks." Bob Young, Capital One
|
Jan 2015 |
RSH RACF Tips
- Volume 8, Issue 4
- OPERCMDS
Resource Prefixes
- Started Tasks & REVOKE
- PROTECTED & INACTIVE
- Outsource Risk
- z/OS Unix Command History
- WARNING Contest
- Auditors: Ensure SETROPTS JES(BATCHALLRACF) is active
- Invalid RACF Activation Code
|
Oct 2014 |
RSH RACF Tips
- Volume 8, Issue 3
- Default UACC
& Connect UACC
- Operator Command Entry
- Auditors: Ensure OPERATIONS is Controlled, Part 4
- Comparing z/OS Unix and RACF
- Special Grouping Classes
- z/OS 2.1 REXX EXECIO Control
|
July 2014 |
RSH RACF Tips
- Volume 8, Issue 2
- z/OS 2.1
TRUSTED Tasks
- SDSF Destination Operators
- z/OS 2.1 APPL CBDSERVE
- FSSEC and ACL Activation
- TRUSTED UAUDIT SURROGAT
- z/OS 2.1 JES2 Modify Service
- Auditors: Ensure OPERATIONS is Controlled, Part 3
"You do a great job of
making RACF information understandable and available."
Harold Clough, DISA
|
April 2014 |
RSH RACF Tips
- Volume 8, Issue 1
-
CHOWN.UNRESTRICTED
- @RSH_RACF on Twitter
- BPX Profiles & Superuser
- Auditors: Ensure OPERATIONS is Controlled, Part 2
- CA-1 CDT Entries
- IRRHFSU Utility Update
|
Jan 2014 |
RSH RACF Tips
- Volume 7, Issue 4
- Deleting
UNIVERSAL Groups
- TFS FSP
- Auditors: Ensure OPERATIONS is Controlled, Part 1
- CA ENDEVOR Resource Class
- Replacing an Access List
|
Oct 2013 |
RSH RACF Tips
- Volume 7, Issue 3
- IRRHFSU
Enhancements
- z/OS 1.13 TRUSTED Tasks
- Group GID(0)
- RACDCERT LIST Clarification
- Group GID VLF Problem Update
- FIELD Authority to Add an Empty Segment or Delete a
Segment
- Auditors: Ensure Effective Use of RESTRICTED
- Class SYSAUTO
"I have
been getting my RACF newsletters, and I definitely enjoy
reading them. They're always full of good information."
Janice Loar, John Deere
|
July 2013 |
RSH RACF Tips
- Volume 7, Issue 2
- Improved
RACF Googling
- SURROGAT Contest Winner
- IRRUT200 ACTIVATE Hang
- DEFINE RECATALOG Check
- Protecting Program EDGINERS
- Auditors: Check the PPT
- RACF FMID Reference
- RACF Health Checker Issues
- Group GID VLF Cache Problem
|
April 2013 |
RSH RACF Tips
- Volume 7, Issue 1
- Protect
Shutdown Commands
- Custom Field Names
- RRSF & Batches of Commands
- UNIX sudo & sudoedit
- Auditors: Confirm Started Task and Batch IDs are PROTECTED
- SURROGAT Contest
- FIELD Permits to &RACUID
|
Jan 2013 |
RSH RACF Tips
- Volume 6, Issue 4
- RRSF & TCPIP
Communication Failure Issue
- AIM Conversion Lockup Issue
- FASTAUTH & DEFAULT TOKEN
- ABEND Due to FROM Profile With Undefined OWNER
- Many More FACILITY Resources
- Unix Default User & MAXUIDS
- ITOM Resource Name Error
- Unix Path Names in SMF Unload Records Can Have // Prefix
- Identify Underlying zFS Dataset
|
Oct 2012 |
RSH RACF Tips
- Volume 6, Issue 3
- To All Our
Clients - Thank You!
- REQUEST=VERIFY & GLOBAL
- FACILITY BPX.SAFFASTPATH
- SMF Type 30 Records
- Auditors: Confirm PROTECTALL is Active
- More on Replacing BPX.DEFAULT.USER
- Listing CA-1 Security Options
|
July 2012 |
RSH RACF Tips
- Volume 6, Issue 2
- Replacing
BPX.DEFAULT.USER
- Additional GLOBAL Entries
- Temporary Dataset Protection
- Auditors: Review Tape BLP Authority
|
April 2012 |
RSH RACF Tips
- Volume 6, Issue 1
- CICS TS 4.2
& RACF
- RACF-L Internet Discussion List
- Auditors: Review PROGRAM Protection
- Beware Making the Unix Default User a File or Directory
Owner
- ISPF 3.17 MA Line Command
- Protect TCP/IP Low Ports
- TSO User Data Sharing
|
Jan 2012 |
RSH RACF Tips
- Volume 5, Issue 4
- z/OS UNIX
Security Enhancement
- Duplicate JOBINIT Records
- Indicate Permit Level in DATA
- Is * or ** More Specific? (Answer)
- Auditors: Review Tape Dataset Protection Bypass Authority
- Password Reset Authority Delegation
- CF Rebuild Can Hang Sysplex
|
Oct 2011 |
RSH RACF Tips
- Volume 5, Issue 3
- z/OS
Security & Integrity APARs
- Performance Tip: IRRDBU00
- Monitoring Using JESJOBS
- IRRHFSU & UAUDIT
- Auditors: Review SETROPTS AUDIT(classes)
- Your Unix Default User May Own Files & Directories
- More FACILITY Resources
- Grouping Profile Name Length
|
July 2011 |
RSH RACF Tips
- Volume 5, Issue 2
- Trust SMS
- Proper RACF Database Backup
- Demise of BPX.DEFAULT.USER
- MVS.DISPLAY.TCPIP
- RACF Administrator's DFLTGRP
- RACF Protect TCP/IP Ports
- Auditors: Review Password Minimum Change Interval
|
April 2011 |
RSH RACF Tips
- Volume 5, Issue 1
- IGGCSI00 and
Catalog Access
- Prevent Connection Mishaps
- WHEN(CONSOLE(SDSF))
- Websphere Library Change
- Performance: CA-Endevor LAT
- Auditors: Check Password History Option
|
Jan 2011 |
RSH RACF Tips
- Volume 4, Issue 4
- SMP/E
Protection
- Performance: GENERICANCHOR
- Correction: FILEPROCMAX
- FASTAUTH Now Honors TRUSTED and PRIVILEGED
- Auditors: Check User Password Change Intervals
- IPv4 Terminal IDs
|
Oct 2010 |
RSH RACF Tips
- Volume 4, Issue 3
- Goodbye
VSAMDSET and SYSCTLG
- DB2 DDF and FILEPROCMAX
- Deleting an
Invalid Profile Containing Character '('
- OPERCMDS Profile Prefixes
- Auditors: Check for Weak Password Rules
- Performance: CICS USRDELAY
- SEARCH LEVEL(nn)
|
July 2010 |
RSH RACF Tips
- Volume 4, Issue 2
- FTP and JES
- Quick LD in ISPF 3.4 DSLIST
- Eliminating
Discrete 'Generics'
- Auditors: Validate PROGRAM Profile Libraries
|
April 2010 |
RSH RACF Tips
- Volume 4, Issue 1
- Custom Field
List Titles
- Safely Implement PROTECTED
- Auditors: Verify LOGOPTIONS are set to log z/OS Unix
events
- ISPF 3.17 Udlist - List Unix Files & Directories
|
Jan 2010 |
RSH RACF Tips
- Volume 3, Issue 4
- Reducing
Unix Superuser Use
- Should You Monitor or Restrict LISTDSD, RLIST, or SEARCH?
- List All SETROPTS Options without System-AUDITOR
- SMF Unload
LRECL Change
- Auditors:
Review Access Permitted to *
- Restrict Use of DSMON
|
Oct 2009 |
RSH RACF Tips
- Volume 3, Issue 3
- RACLIST
REFRESH & STARTED
- AUDITOR UNIX APAR
- RMM Superuser
- RESTRICTED &
UNIX Access
- SEARCH
Command Mystery (Answer)
- Auditors: Verify Tape Data Protection is Active
- TSO APPL
Class Resource
|
July 2009 |
RSH RACF Tips
- Volume 3, Issue 2
- TEMPDSN and
CA-Endevor
- JESINPUT
- Performance: Database Reorg
- Auditors: PRIVILEGED and TRUSTED Started Tasks
|
April 2009 |
RSH RACF Tips
- Volume 3, Issue 1
- Specifying a
Replacement ID with IRRRID00
- Recent APARs
of Interest
- Temporary
Access with CONNECT REVOKE(date)
- Auditors:
How to Examine z/OS Unix Directory and File Security
- Limit on DB2
Secondary AUTHIDs Raised
|
Jan 2009 |
RSH RACF Tips
- Volume 2, Issue 4
- Authority to
Administer Unix Directory & File Permissions
- Performance:
Avoid SETROPTS GENERIC(DATASET) REFRESH
- Auditors:
Find and Investigate Profiles in WARNING
|
Oct 2008 |
RSH RACF Tips
- Volume 2, Issue 3
- OPERATIONS
Authority Considerations
- Avoiding
Output Browse Violation Messages in SDSF
- z/OS Unix
Use Control
- Auditors:
Review ALTER Access to Catalogs
|
July 2008 |
RSH RACF Tips
- Volume 2, Issue 2
- LISTDSD
Hints
- Sharing
Output in SDSF (Without JESSPOOL Permission)
- Auditors:
Review RACFVARS Profile &RACLNDE
|
April 2008 |
RSH RACF Tips
- Volume 2, Issue 1
- Practical
Uses for LEVEL
- CSA Storage
Protection
- Auditors:
Verify FDR's RACF Interface is Active
|
Jan 2008 |
RSH RACF Tips
- Volume 1, Issue 3
- Performance:
Resident Data Blocks (RDBs)
- Auditors:
Review Outbound NJE Transmission Controls
|
Oct 2007 |
RSH RACF Tips
- Volume 1, Issue 2
- Entering
RACF Commands at the Console
- Performance:
NOYOURACC
- Auditors:
Review DITTO and FILE Manager DISK.FULLPACK
|
July 2007 |
RSH RACF Tips
- Volume 1, Issue 1
- Avoiding
DFSMShsm Recalls with ARCCATGP
- Performance:
Increase your Enqueue Residency - ERV
- Enable
Logging of Access to CA's ENDEVOR Resources
- Auditors:
Review SURROGAT Batch Submit Authority
|
April 2007 |
